Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple Where Clause

itsmevic
Communicator
‎06-24-2020 01:05 PM

I'm running the below query across the network and would like it to pinpoint that search towards two users rather than run the search across the entire network and have hundreds of users.  When I use the "where" clause and enter in both users that I'd like to search under, nothing comes back.  The moment I remove the "where" clause, data comes back.  Should my where clause positioned elsewhere up the pipe?  Or is it just a matter of incorrect syntax?

| from datamodel:"Authenticate"
| eval host=upper(host)
| search [| inputlookup hosts_upper.csv]
| search user!=svc* NOT src_user IN (system, dbagent, svc*)
| search NOT signature_id IN (4769, 4672, 4648)
| eval "Logon Type" = case(Logon_Type == 2, "Interactive", Logon_Type == 3, "Network", Logon_Type == 4, "Batch",
Logon_Type == 5, "Service", Logon_Type == 7, "Unlock", Logon_Type == 8, "Clear Text",
Logon_Type == 9, "New Credentials", Logon_Type == 10, "Remote Interactive", Logon_Type == 11, "Cached Interactive")
| fillnull value=NULL "Unknown"
| table _time action host user src app Logon_Type "Logon Type" host signature sourcetype
| where user="johndoe" OR user="janesmith"
| sort -_time

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2020 01:47 PM

It's best to put your where clause as far up the pipe as possible to improve performance.  Doing so will have no bearing on the results, however.

Your syntax looks fine, although I prefer to put parentheses around compound where clauses.

Are you sure you have the names correct?

Do you get the right results when you have just one user name in the where clause?

Here's an alternative where clause to try.

| where (match(user, "johndoe") OR match(user, "janesmith"))

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top